PT-2024-21641 · Decidim · Decidim
Andreslucena · Published 2024-07-10 · Updated 2024-07-11 · CVE-2024-27090
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Decidim versions prior to 0.27.6
Description
Decidim is a participatory democracy framework, written in Ruby on Rails. If an attacker can infer the slug or URL of an unpublished or private resource, and this resource can be embedded, then some data of this resource could be accessed.
Recommendations
For versions prior to 0.27.6, update to version 0.27.6 to resolve the issue.
As a temporary workaround, consider disallowing access through your web server to URLs ending in /embed.html until the issue is resolved.
Weakness: Information Disclosure
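The workaround above is applied at the web server; the same rule can also be enforced inside the Rails stack. The following Rack middleware is an added example (not code from Decidim or from the advisory); the class name `EmbedBlocker` is assumed.

```ruby
# Added example (not Decidim's own code): Rack middleware that applies the
# advisory's workaround inside the Rails stack by answering every request
# whose path ends in "/embed.html" with a 404. Class name is hypothetical.
class EmbedBlocker
  EMBED_SUFFIX = "/embed.html"

  def initialize(app)
    @app = app
  end

  def call(env)
    if self.class.embed_path?(env["PATH_INFO"].to_s)
      # Plain 404: a blocked embed looks like any other missing page.
      return [404, { "content-type" => "text/plain" }, ["Not Found"]]
    end
    @app.call(env)
  end

  # True when the request path targets an embed view. The path is
  # percent-decoded once (as the router would) and duplicate or trailing
  # slashes are dropped, so "/processes/x//embed%2Ehtml/" is still caught.
  # The query string is not part of PATH_INFO and needs no handling here.
  def self.embed_path?(path)
    decoded = path.b.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
    normalized = decoded.squeeze("/").sub(%r{/+\z}, "")
    normalized.end_with?(EMBED_SUFFIX)
  end
end

# Stand-alone demo over constructed paths; run with `ruby embed_blocker.rb`.
if $PROGRAM_NAME == __FILE__
  app = EmbedBlocker.new(->(_env) { [200, { "content-type" => "text/plain" }, ["ok"]] })
  ["/processes/hidden-slug/embed.html", "/processes/hidden-slug//embed%2Ehtml/",
   "/processes/hidden-slug", "/assemblies/a/embed.html.json"].each do |path|
    status, = app.call("PATH_INFO" => path, "REQUEST_METHOD" => "GET")
    puts "#{status} #{path}"
  end
end
```

In a Rails application the middleware would be mounted ahead of the router with `config.middleware.insert_before 0, EmbedBlocker` in config/application.rb.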
Affected Products
Decidim